At DICK’S Sporting Goods, we believe in how positively sports can change lives. On our team, everyone plays a critical role in creating confidence and excitement by personally equipping all athletes to achieve their dreams. We are committed to creating an inclusive and diverse workforce, reflecting the communities we serve.
If you are ready to make a difference as part of the world’s greatest sports team, apply to join our team today!
OVERVIEW:
The Senior Manager, Information Security & Risk Management is responsible for building, leading, and maturing the enterprise information security risk management program and the Governance, Risk, and Compliance (GRC) platform that enables it. This role owns the people, process, and technology underpinning risk identification, assessment, treatment, reporting, and assurance. The ideal candidate brings deep experience in security risk frameworks, control assurance, and GRC product ownership, translating complex risk into clear business decisions and automating workflows for scale.
Strategy & Leadership (People)
Build and lead a high-performing GRC/risk team (analysts, engineers, control owners), including hiring, coaching, performance management, and succession planning.
Serve as the product owner for the GRC platform, setting vision, roadmap, priorities, and adoption goals; lead a cross-functional virtual team of process owners (IT, Engineering, Privacy, Legal, Procurement, Audit).
Act as a trusted advisor to senior leaders on risk appetite, emerging risks, and investment trade-offs; communicate risk in business terms.
Establish a culture of accountability and continuous improvement across control owners and process stakeholders.
Risk Management Program (Process)
Design, implement, and mature an enterprise Information Security Risk Management (ISRM) program aligned to business strategy and regulatory requirements.
Define and operationalize risk taxonomy, risk appetite/thresholds, and risk assessment methodologies (inherent/residual, likelihood/impact, qualitative/quantitative where appropriate).
Stand up end-to-end risk workflows: identification → assessment → treatment planning → control implementation → monitoring → metrics → reporting.
Integrate risk management with strategic planning, project/architecture reviews, third-party risk, privacy, resilience/BCP/DR, and audit.
Establish and maintain the Information Security Policy & Standards framework; ensure clear control ownership and maintenance cadence.
Run the issue/exception/waiver process: risk acceptance, remediation tracking, and expiration governance.
Coordinate audit readiness and responses (internal audit, external audit, regulatory inquiries); ensure defensible evidence management.
GRC Platform Ownership (Technology)
Own the selection, implementation, configuration, and continuous improvement of the GRC platform (e.g., ServiceNow GRC, Archer, OneTrust, LogicGate, MetricStream, similar).
Engineer scalable workflows for risk assessments, control testing, issue management, vendor risk, policy lifecycle, SOX/ITGC, and automated evidence collection.
Build and maintain authoritative control libraries mapped to frameworks (e.g., NIST CSF/800-53, ISO 27001, SOC 2, PCI DSS, HIPAA, SOX, CIS).
Implement integrations with core systems (e.g., IAM, CMDB, ticketing, CI/CD, cloud security tools, vulnerability management, procurement, ERP) to drive control automation and near-real-time monitoring.
Define and publish dashboards and KPIs/KRIs for executive reporting; enable self-service analytics and board-level reporting packages.
Assurance & Continuous Monitoring
Establish a risk-based control testing and continuous control monitoring (CCM) program; leverage automation for evidence capture and evaluation.
Oversee security exceptions, findings, and remediation programs with clear SLAs and escalation paths.
Coordinate scenario analysis and tabletop exercises for key risks (e.g., ransomware, data exfiltration, third-party outage).
Partner with Security Engineering and Operations to connect risk insights to detection, vulnerability, and incident response priorities.
Third-Party & Product/Project Risk
Mature third-party risk management (TPRM) with tiering, due diligence, contract clauses, continuous monitoring, and exit strategies.
Embed risk reviews in SDLC and project governance (architecture boards, change management, M&A diligence/integration).
Preferred Qualifications:
Demonstrated experience standing up or significantly maturing an enterprise risk management program and owning a GRC solution end-to-end.
Strong knowledge of risk and control frameworks and regulations: NIST CSF/800-53, ISO 27001, SOC 2, SOX/ITGC, PCI DSS, HIPAA, CIS, and data protection/privacy (e.g., GDPR, CCPA/CPRA).
Hands-on experience designing automated workflows, building dashboards, and integrating GRC with IT/security tooling.
Exceptional communication and stakeholder management skills; proven ability to translate technical risk into business impacts and priorities.
Security or audit certifications: CISSP, CISM, CRISC, ISO 27001 Lead Implementer/Auditor, CISA.
Experience with risk quantification approaches (e.g., FAIR) and board-level reporting.
Background in cloud and modern engineering environments (AWS/Azure/GCP, DevSecOps, SaaS).
QUALIFICATIONS:
7–10 years of progressive experience in Information Security, Risk, or Audit, with 3–5+ years leading teams and/or owning a GRC platform.